Block lan -> wan with iptables?

What I want to do is block all traffic and only allow lan to wan traffic on certain ports. The ports would be 21 (ftp), 22 (ssh), 25 (smtp), 53 (dns), 80 (http), 110 (pop3), 443 (https), and icmp (ping and traceroute).

I guess I would need a rule to block / drop traffic and rules to allow traffic on certain ports.

Is this possible with iptables, and if so, what are the correct commands to do so? I'd try to figure it out myself, but iptables confuses me.

P.S. - I think you should use -I in your rules, not -A. -A will append rules to the bottom of the chain, in which case any given packet might match an iptables rule already higher up in the list. Thus you will probably not get the desired firewall effect with -A (unless you flush all existing rules first, but this will be much more work).

Only thing I'm not sure about at this point is -I or -A and the rule for icmp.

Edit: Looks like I can use -I and specify a rule #. Something like -I FORWARD 1, -I FORWARD 2, and so on.

Using the command (iptables -L -nv --line-numbers) you gave me, I see that there are 8 rules in the FORWARD chain by default.

If I specify rule numbers for the new rules that I add, will the existing rules get moved down the list but maintain their current order? I'm thinking that the current order should be maintained, but I want to make sure.

As the referred article explains, FTP's data connection is made on port 20, but with "active FTP", the client IP (which is 172...) is specified in the FTP command to the server. In "passive FTP", the IP of the server is used, so always use passive FTP from behind a NAT firewall.

SFTP is of course the best, as it encrypts and sorts out the IP/port business, but it's slower.

It sounds like passive FTP could still be an issue with these firewall rules. From the FTP client's point of view, passive FTP seems to use a random outgoing TCP port (one that the server itself provided and which is hard to predict, so it may be difficult to create an iptables ACCEPT rule for).

With active mode, however, it is possible to specify the external IP and a range of local ports in some FTP client software (FileZilla, for example). Maybe that is a solution, if you're able to use active mode with the server.
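As an added example that is not part of any post in this thread, here is a script that turns the original question's port list into FORWARD-chain rules using -I with explicit positions (so the existing rules keep their order below them), and that addresses the passive-FTP and DNS points raised above in its comments. The interface names eth0/eth1, the IPT dry-run variable and the remarks about the nf_conntrack_ftp helper are assumptions, not something stated in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a LAN -> WAN allow-list for the
# FORWARD chain of a Linux router. Assumed interface names: LAN_IF (inside)
# and WAN_IF (outside); override them in the environment if yours differ.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
IPT="${IPT:-iptables}"        # set IPT=echo for a dry run

# TCP services listed in the question: ftp ssh smtp dns http pop3 https
TCP_PORTS="21 22 25 53 80 110 443"

# Print one iptables argument list per line, in the order they must be applied.
# -I with explicit positions puts them ahead of any rules a distro already
# installed in FORWARD; existing rules keep their relative order below them.
build_rules() {
    n=1
    # Replies to connections the LAN opened come back WAN -> LAN. RELATED also
    # covers passive-FTP data channels once the nf_conntrack_ftp helper is
    # loaded (newer kernels additionally need a raw-table CT --helper ftp rule),
    # and the ICMP errors that traceroute relies on.
    echo "-I FORWARD $n -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    n=$((n + 1))
    for p in $TCP_PORTS; do
        echo "-I FORWARD $n -i $LAN_IF -o $WAN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        n=$((n + 1))
    done
    # DNS lookups are normally UDP; allowing TCP/53 alone would break resolution.
    echo "-I FORWARD $n -i $LAN_IF -o $WAN_IF -p udp --dport 53 -j ACCEPT"
    n=$((n + 1))
    # ICMP echo for ping; Linux traceroute sends UDP probes unless run with -I.
    echo "-I FORWARD $n -i $LAN_IF -o $WAN_IF -p icmp -j ACCEPT"
    # Everything else that tries to cross the router is dropped by the policy.
    echo "-P FORWARD DROP"
}

# Number of lines build_rules emits (handy for checking against --line-numbers).
count_rules() { build_rules | wc -l | tr -d ' '; }

apply_rules() {
    build_rules | while IFS= read -r args; do
        $IPT $args   # word splitting of $args is intended here
    done
}

# "sh lanwan.sh apply" installs the rules; any other invocation just prints them.
case "${1:-print}" in
    apply) apply_rules ;;
    *)     build_rules | sed "s/^/$IPT /" ;;
esac
```

Run it without arguments first and compare the printed list against `iptables -L FORWARD -nv --line-numbers` before applying; the ESTABLISHED,RELATED rule must stay at position 1 so that return traffic is matched before anything else.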